buffer overrun: dangerous usage of strncpy+strncat

This commit is contained in:
Daniel Marjamäki 2009-02-20 21:16:07 +00:00
parent 15e86db3ed
commit ed86d924df
2 changed files with 18 additions and 11 deletions

View File

@ -105,7 +105,6 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
}
}
int indentlevel = 0;
for (; tok; tok = tok->next())
{
@ -159,7 +158,6 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
_errorLogger->bufferOverrun(_tokenizer, tok);
}
}
continue;
}
}
else if (Token::Match(tok, "memset|memcpy|memmove|memcmp|strncpy|fgets"))
@ -256,8 +254,8 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
}
continue;
}
// Dangerous usage of strncat..
if (Token::Match(tok, "strncat ( %varid% , %any% , %num% )", varid))
{
@ -265,7 +263,16 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
if (n == size)
_errorLogger->strncatUsage(_tokenizer, tok);
}
// Dangerous usage of strncpy + strncat..
if (Token::Match(tok, "strncpy|strncat ( %varid% , %any% , %num% ) ; strncat ( %varid% , %any% , %num% )", varid))
{
int n = atoi(tok->strAt(6)) + atoi(tok->strAt(15));
if (n > size)
_errorLogger->strncatUsage(_tokenizer, tok->tokAt(9));
}
// sprintf..
if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% ,", varid))

View File

@ -91,8 +91,8 @@ private:
TEST_CASE(snprintf1);
TEST_CASE(snprintf2);
TEST_CASE(snprintf3);
// TODO TEST_CASE(strncat1);
TEST_CASE(strncat1);
TEST_CASE(strncat2);
TEST_CASE(varid1);
@ -473,11 +473,11 @@ private:
{
check("void f()\n"
"{\n"
" char str[10];\n"
" strncpy(str, a, 5);\n"
" strncat(str, b, 5);\n"
" char str[16];\n"
" strncpy(str, a, 10);\n"
" strncat(str, b, 10);\n"
"}\n");
ASSERT_EQUALS(std::string("[test.cpp:5]: (error) possible buffer overrun"), errout.str());
ASSERT_EQUALS(std::string("[test.cpp:5]: (all) Dangerous usage of strncat, possible buffer overrun\n"), errout.str());
}
void strncat2()